Apple Pay rival MCX defends security after hackers steal emails

The Merchant Customer Exchange (MCX), a consortium of 58 major U.S. retailers whose mobile payment network will take on the new Apple Pay early in 2015, today held a hastily-organized news conference to address questions about a hack that pilfered consumer email addresses.

The Merchant Customer Exchange (MCX), a consortium of 58 major U.S. retailers whose mobile payment network will take on the new Apple Pay early in 2015, today held a hastily-organized news conference to address questions about a hack that pilfered consumer email addresses.

MCX CEO Dekkers Davison argued that the group was targeted because it was "challenging the status quo" with its mobile payment service, dubbed CurrentC, which largely circumvents credit card companies' profitable transaction fees. "When you poke at a large ecosystem, you should expect attacks," said Davison. "None of this comes as a surprise."

The 30-minute conference call was in response to an admission earlier in the day by MCX that an unknown number of email addresses had been lifted by hackers.

"Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app," the group said early Wednesday in a statement that was also posted on its website.

Merchant participants in MCX, as well as those whose emails had been stolen, were notified, the organization said.

MCX, which is led by Walmart and includes 7-Eleven, Best Buy, Sears and others, is still in the testing stages for its CurrentC mobile payment system. The service and accompanying app are being piloted in several locales -- Davison declined to name where or which merchants were participating in the tests -- and consumers in other locations can register their email address with MCX for additional information as the tests expand and the system rolls out some time early next year.

MCX downplayed the threat to users in its statement and Davison reiterated that in the call with reporters. "Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected," said MCX spokeswoman Linda Walsh in an email Wednesday.

"There were also some dummy Zip codes," said Davison at one point. At another, however, he refused to answer a similar question. "I have no comment on what other information was stolen. It's premature to comment with investigations ongoing."

By Davison's account -- he repeatedly declined to answer questions about details of the attack, not uncommon when a company acknowledges a hack or breach -- it was not MCX's servers that were targeted, but those of its email provider. Davison would not name that provider.

But he was adamant that the term "breach" was inappropriate as a description of the hack. "This is not a breach. It was only email addresses," Davison said, perhaps defining "breach" narrowly. "We will learn from it. It will not slow us down."

At times defiant, Davison claimed that CurrentC, which will allow merchants to collect and store large amounts of information on -- and the shopping habits of -- their customers, was completely secure.

"We have expected attacks, there have been many attacks," said Davison. "We have been attacked repeatedly in the last seven or eight days." Also during the call, he reiterated what MCX has said before, that data would be stored "on secure servers in the cloud."

The organization, which has promoted CurrentC as safe and secure even as major merchants' systems are increasingly breached in massive thefts, rose to the top of the news earlier this week when iPhone 6 and iPhone 6 Plus owners discovered that two members -- the Rite Aid and CVS pharmacy chains -- had disabled their point-of-sales terminals' NFC (near-field communications) capabilities. That blocked Apple Pay from being used in their stores. For several days last week, those same iPhone users were able to use Apple Pay at the chains' terminals.

CurrentC and Apple Pay not only use different approaches -- CurrentC relies on QR codes displayed on a smartphone's screen, while Apple Pay uses the Touch ID fingerprint scanner to authenticate the customer and NFC to transmit "tokens" between an iPhone and the terminal -- but also different transactional networks.

While Apple Pay ties payments to American Express, MasterCard and Visa credit cards issued by a host of banks, MCX draws money directly from a customer's checking account through the Automated Clearing House (ACH) network. MCX was designed, say analysts, to sidestep credit cards and their transaction fees, part of a battle between large retailers -- Walmart especially -- and Visa and MasterCard that goes back nearly two decades.

"CurrentC is far more secure than alternatives that have been advanced in the last several years," Davison claimed today. "The hack reminds us that there are people motivated to steal information. [But] this will make us stronger."